DNSChanger Malware Deadline: July 9th Has Arrived

The story begins in November 2011 when a group of hackers were arrested in Estonia, accused of having developed the dreaded DNSChanger Trojan that was able to spread with surprising ease, building a powerful botnet.

The botnet was operated by Rove Digital and altered infected users' DNS settings, pointing victims to malicious DNS servers in data centers in Estonia, New York, and Chicago.

The malicious DNS servers would alter users' searches to promote malicious URLs and fake products. Once discovered by the FBI, to give businesses and private individuals affected by DNSChanger time to clean infected systems, the agency replaced the Trojan’s DNS infrastructure with clean surrogate DNS servers.

By replacing the command servers, the Feds prevented further propagation of the malware. The FBI officially took over the botnet’s command-and-control (C&C) servers in November of 2011 as part of Operation Ghost Click.

For the fist time ever, under a court order first set to expire March 8,2012, the Internet Systems Corporation had planned the replacement of the DNS servers for the Rove Digital network. This would allow affected networks time to identify infected hosts, and avoid a sudden disruption of services to infected machines.

Despite the calls to check for infected units provided by the press and law enforcement, the situation is far from reassuring, because too many PCs are still infected and potentially vulnerable to the planned blackout. More than 3 million PCs worldwide were still infected with DNSChanger as of March 2012, so authorities extended the period before the planned shutdown of the surrogate servers.

In March a federal judge postponed the blackout of the surrogate servers for 120 days (until July 9, 2012) to give companies, businesses and governments more time to arrange a response to the threat.

July 9th is arrived...

The situation is precarious, as it has been estimated that tens of thousands of U.S. internet users could still infected by DNSChanger malware. The estimation is that 64,000 users in the United States, plus an additional 200,000 users outside the United States are still at risk.

Every machine that is still infected on July 9th will not able to navigate the Internet, despite numerous appeals from law enforcement and the media for users to check their systems for the malware. According to Internet Identity, about 58 of the Fortune 500 companies and at least two government agencies have one computer or router that is still infected.

Fortunately it is very easy to sanitize the infected machine, and nearly every security firm has provided a tool for it. More information on how to detect and clean up the malware can be found on a website www.dcwg.org. The FBI has also created a web page to check if your computer is using a rogue DNS, by simply providing its IP address.

Managing a network of servers, in my judgment, presents additional risks. History has taught us that no infrastructure is safe, and even the Pentagon’s networks, by admission of the government, have been hacked multiple time, on several occasions by Anonymous groups.

Well, the decision to postpone the shutdown of the servers may have opened the door to much more serious scenario.

I completely disagreed with the decision to maintain the network of surrogate servers, because the choice presented too many risks. Imagine what would have happened if the control of the network of servers had ended up in the wrong hands, allowing, for example a massive diffusion of more malicious and dangerous malware than DNSChanger.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.